Monitoring deep, dark and surface web to detect exposure of your sensitive data, secret projects and initiatives, privileged users, critical systems, IT infrastructure, and more.
Monitoring and alerting of third party data breaches impacting your employees’ emails, usernames, and personally identifiable information.
Assess the risk footprint and security posture of key business relationships to get a handle on external risk introduced through your extended attack surface.

Sign Up for Updates

Digital risk monitoring of key personnel with telemetry and risk metrics. VIPRecon provides broad coverage of social media, deep and dark web, as well as physical threat assessments.
Our Ransomware Response Readiness Assessment, Playbook and Table Top Exercise gives your organization the best chance to survive and recover.
Gain visibility of your digital footprint by reaching into the most active areas of the cyber underground.
Fully managed and tailored Threat Intelligence services that becomes an extension of your current security processes and provides real-time visibility on new threats.
Providing research and investigations into known threats, to save security teams time and stress during a cyber emergency.

Sign Up for Updates

GroupSense offers a comprehensive package of services for assessing and responding to ransomware attacks, including negotiations with threat actors.
Actively researching and monitoring threats from vendors or third-party companies that can affect organizational security.
Monitoring for threats to elections, VIPs, and more on social media to proactively prevent or mitigate digital risk.
Focusing on the threats and risks that matter to your security processes and providing intelligence and insights to prevent or mitigate digital risk.
Taking the next step in security services, by proactively taking down phishing sites or anonymously interacting with threat actors to provide better intelligence.
Active monitoring of your brand's digital assets to protect its reputation and stop further brand abuse from targeting unsuspecting victims.

Sign Up for Updates

Combining your cyber and fraud programs to effectively fight threat actors continually scamming or threatening assets within an organization.
Executives are prime targets for fraudulent activities, but with a proactive approach, any attacks or threats can be neutralized before causing any damage.
Governments, political parties and candidates must all act now to activate cyber threat intelligence services to harden their information security and get ahead of inevitable cyber threats to the election process.
5 min read

A Disgruntled Threat Actor Provides a Behind-the-Scenes Look at a Ransomware Group’s Playbook

Aug 6, 2021 2:09:02 PM

Background

On 5 August 2021, a seemingly disgruntled Russian-speaking threat actor claiming to work as an affiliate for the popular ransomware group Conti leaked on the underground forum XSS a 113 MB archive of training materials and tools allegedly used by Conti to conduct its ransomware attacks (Figure 1). 

The actor, using the alias m1Geelka, claimed Conti underpays its penetration testers at just $1,500 an attack, while the core of the group reap much larger earnings for themselves. In addition to the leaked materials, m1Geelka also published contact information of two Conti operators and four IP addresses of Conti command & control (C2) servers. m1Geelka also stated that unlike Conti, other Ransomware-as-a-Service (RaaS) groups treat their employees “honestly” and listed two other groups, Cl0p and REvil, as examples.

Figure 1-Conti_Playbook

Figure 1: Initial post by m1Geelka on the forum XSS [contact information redacted by GroupSense]

Ransomware Group’s Vacancy Announcement: Evening Shift, Monday thru Friday. Paid Holidays.

While GroupSense has been unable to independently corroborate whether m1Geelka was affiliated with Conti, we assess with moderate confidence that the extensive details in the leaked materials, coupled with the actor’s previous messages make m1Geelka a credible source. We believe the leaked materials are genuine and provide a valuable behind-the-scenes look at how ransomware groups operate.

  • m1Geelka has been active on the XSS forum since April 2020, and in the days prior to the 5 August leak, the actor posted messages on the forum recruiting pen testers with experience in Windows networks (Figure 2).
  • In the 5 August post complaining about Conti’s activities, m1Geelka also pointed to the recruitment efforts of a separate XSS forum user, IT_work, who had in previous months posted messages recruiting for penetration testers and also offering payment upwards of $1,500 (Figure 3). We surmise that IT_Work is a recruiter for Conti or another similar ransomware group. The requirements shed some light on how these groups’ structure emulates legitimate business: the vacancy announcement states “The work is 5 days a week with weekends off, with a schedule from 3:00 pm to 1:00 am. Paid holidays.”

Figure 2-Conti_Playbook

Figure 2: On 2 August 2021, m1Geelka posted a message recruiting pentesters of Windows networks, and with experience with Active Directory and the Cobalt Strike framework. Paying $1,500+

Figure 3-Conti_Playbook

Figure 3: Actor IT_Work is a suspected recruiter for Conti or another ransomware group identified by m1Geelka. In June 2021, IT_Work posted a vacancy announcement to XSS stating that they required pen testers who have knowledge of Active Directory structure; understanding of NAT, proxy, socks, http/https,ssh; understanding of network protocols; knowledges of any programming language; familiarity with pentesting concepts. The work is 5 days a week with weekends off, with a schedule from 3:00 pm to 1:00 am. Paid holidays.

Training Material Sheds Light Into Ransomware Operators’ Playbook

Tools

The leaked training materials, written in Russian, show the tactics, techniques, and procedures used by the group. We note that the materials make frequent references to the popular penetration testing tool Cobalt Strike. In addition, the manuals discuss the following tools:

  • Metasploit: A penetration testing framework
  • Mimikatz: One of the most powerful password harvesting tools in existence 
  • Armitage: A visualization tool for Metasploit
  • PowerView: a series of functions that performs network and Windows domain enumeration and exploitation.
  • PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server 
  • AnyDesk: A remote desktop application
  • Rclone: Used for exfiltration; provides an easy and effective way of copying data to an array of cloud storage providers. 

Tactics, Techniques, and Procedures (TTPs)

Some of the training documents briefly discuss how to maintain anonymity. One document states that the “task is not to hide (as it does not work), but rather to merge with the crowd” The material advises the threat actors not to disable features such as Javascript, Flash, as it will draw more attention. A separate document advocates for the use of Whonix, a privacy oriented Debian Linux operating system that forces communications through the Tor network.

The actors also list a small number of common passwords and password patterns that are often encountered in corporate environments. They list the following passwords:

  • Password1
  • Hello123
  • password
  • Welcome1
  • banco@1
  • training
  • Password123
  • job12345
  • spring
  • Food1234
One training document also states that threat actors should try passwords that are variations of recent months and the current year. The document states “We also recommend using wordlists based on the seasons and the current year. Considering that passwords are changed every three months, you can create a “buffer” to generate such a sheet. For example, if we’re in August 2020, we create a wordlist with the following content:
  • June2020
  • July2020
  • August20
  • August2020
  • Summer20
  • Summer2020
  • June2020!
  • July2020!
  • August20!
  • August2020!
  • Summer20!
  • Summer2020!”

Another training document states that after escalating privileges and finding the admin’s domain, Cobalt Strike should be launched. The training manual states “We are interested in: financial documents,accounting, I.T., clients, projects, and so forth. It all depends on what line of business our target is in.”
The threat actors also recommend changing the RDP (Remote Desktop Protocol) port to 1350 TCP/UDP.

They discuss escalating privileges to a server with Shadow Protext SPX (StorageCraft). StorageCraft ShadowProtect SPX is a backup and disaster recovery product.

We also observed one file discussing the exploitation of CVE-2020-1472 Zerologon (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472

Threat Group has Potential Ties to Ukraine

While the leaked manuals are all in Russian, GroupSense observed that one of the words in a filename is not in Russian (Figure 4). Instead, the word “сетïь” shows up as Serbian, according to Google translate. However, it is more likely that this is a typo from a Ukrainian keyboard as the double dotted ï is prominent in the Ukrainian language. Ukrainians frequently converse in both Russian and Ukrainian.

Figure 4-Conti_Playbook

Figure 4: One of the files contains a word that is not Russian; this word appears to be Serbian for “network”

Recommendations

GroupSense recommends avoiding common mistakes that can enable ransomware groups from gaining a foothold into your network. For example, the simple passwords highlighted in the leaked training manuals should not meet the minimum enterprise password requirements. System administrators should also set up rules in place to monitor for unusual activity, paying close attention to the tools highlighted above. GroupSense offers additional ransomware services and mitigation guidelines, available at groupsense.io

Topics: Blog Ransomware

Written by Editorial Team

Featured